network: fix issues found by shellcheck

This commit is contained in:
Marek Marczykowski-Górecki 2017-09-30 03:17:14 +02:00
parent d332a43f6a
commit bb220ce2eb
GPG Key ID: 063938BA42CFA724
12 changed files with 76 additions and 61 deletions


@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
if [ x$2 = xup ]; then if [ "x$2" = xup ]; then
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) INET=$(/sbin/ip addr show dev "$1" | /bin/grep inet)
qubesdb-write /qubes-netvm-external-ip "$INET" qubesdb-write /qubes-netvm-external-ip "$INET"
fi fi
if [ x$2 = xdown ]; then if [ "x$2" = xdown ]; then
qubesdb-write /qubes-netvm-external-ip "" qubesdb-write /qubes-netvm-external-ip ""
fi fi
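Review bot: `/bin/grep inet` on line 16 also matches `inet6` lines, so the value written to `/qubes-netvm-external-ip` may contain IPv6 entries and in any case holds the whole `ip addr` line text rather than a bare address. If only the IPv4 address is intended, `/bin/grep -w inet` (or `ip -4 addr show dev "$1"`) narrows the match; whether the consumers of that key accept the current form cannot be told from this hunk. A one-line comment above the assignment stating what the key is expected to hold, e.g. `# raw 'inet' line(s) of the uplink; readers parse the address out`, would make the intent checkable.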


@ -14,7 +14,9 @@ COMMIT
__EOF__ __EOF__
else else
# Remove rules # Remove rules
# shellcheck disable=SC2086
iptables -D $RULE_FILTER iptables -D $RULE_FILTER
# shellcheck disable=SC2086
iptables -t nat -D $RULE_NAT iptables -t nat -D $RULE_NAT
exit 0 exit 0
fi fi
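Review bot: The two `# shellcheck disable=SC2086` lines added before `iptables -D $RULE_FILTER` and `iptables -t nat -D $RULE_NAT` suppress the warning without saying why word splitting is wanted, so the next reader may "fix" it by quoting and break rule removal. A reason on the directive avoids that, e.g. `# shellcheck disable=SC2086  # RULE_FILTER holds several iptables arguments; splitting is intended`. The `if`/`else` this hunk belongs to starts before the hunk.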


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
NM_CONFIG_DIR=/etc/NetworkManager/system-connections NM_CONFIG_DIR=/etc/NetworkManager/system-connections
if [ -d $NM_CONFIG_DIR -a ! -h $NM_CONFIG_DIR ]; then if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then
mkdir -p /rw/config/NM-system-connections mkdir -p /rw/config/NM-system-connections
mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
rmdir $NM_CONFIG_DIR rmdir $NM_CONFIG_DIR
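Review bot: `$NM_CONFIG_DIR` stays unquoted in the rewritten test on line 41 and in the `mv`/`rmdir` lines below it, while the rest of the commit quotes every expansion; the value is a fixed path so nothing breaks today, but quoting keeps the file consistent and shellcheck-clean: `if [ -d "$NM_CONFIG_DIR" ] && [ ! -h "$NM_CONFIG_DIR" ]; then`. The `mv ... 2> /dev/null || true` on line 43 also hides every failure, not only the empty-directory case; that is presumably deliberate for a one-time migration and deserves a short comment saying so. The `if` block continues past the end of the hunk.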


@ -1,19 +1,19 @@
#!/bin/sh #!/bin/sh
FILE=/etc/NetworkManager/NetworkManager.conf FILE=/etc/NetworkManager/NetworkManager.conf
VIFMAC=mac:fe:ff:ff:ff:ff:ff VIFMAC=mac:fe:ff:ff:ff:ff:ff
if ! grep -q ^plugins.*keyfile $FILE ; then if ! grep -q '^plugins.*keyfile' $FILE ; then
sed -i 's/^plugins.*$/&,keyfile/' $FILE sed -i 's/^plugins.*$/&,keyfile/' $FILE
fi fi
if grep -q ^plugins.*ifcfg-rh $FILE ; then if grep -q '^plugins.*ifcfg-rh' $FILE ; then
sed -i 's/^plugins=\(.*\)ifcfg-rh,\(.*\)$/plugins=\1\2/' $FILE sed -i 's/^plugins=\(.*\)ifcfg-rh,\(.*\)$/plugins=\1\2/' $FILE
fi fi
if ! grep -q '^\[keyfile\]$' $FILE ; then if ! grep -q '^\[keyfile\]$' $FILE ; then
echo '[keyfile]' >> $FILE echo '[keyfile]' >> $FILE
fi fi
if ! grep -q ^unmanaged-devices $FILE ; then if ! grep -q '^unmanaged-devices' $FILE ; then
sed -i 's/^\[keyfile\]$/\[keyfile\]\x0aunmanaged-devices='$VIFMAC/ $FILE sed -i 's/^\[keyfile\]$/\[keyfile\]\x0aunmanaged-devices='$VIFMAC/ $FILE
fi fi
if ! grep -q ^unmanaged-devices.*$VIFMAC $FILE ; then if ! grep -q "^unmanaged-devices.*$VIFMAC" $FILE ; then
sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE
fi fi
exit 0 exit 0
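Review bot: The grep patterns are now quoted, but `$FILE` is still unquoted in every `grep`/`sed` call on lines 52–65, and the `sed` expressions on lines 62 and 65 close the single quote before `$VIFMAC` so it is expanded unquoted inside the script. With the constant values assigned at the top this is harmless, but for consistency with the rest of the commit the double-quoted form is the natural one, e.g. `sed -i "s/^unmanaged-devices.*$/&,$VIFMAC/" "$FILE"`. Note that `$VIFMAC` serves as both a grep pattern and a sed replacement, so a future value containing `/`, `&` or regex metacharacters would need escaping; a comment on the assignment stating that constraint would help.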


@ -35,8 +35,9 @@ start() {
echo -n $"${CMD}: Applying firewall rules: " echo -n $"${CMD}: Applying firewall rules: "
$CMD-restore $IPTABLES_DATA "$CMD-restore" "$IPTABLES_DATA"
if [ $? -eq 0 ]; then ret="$?"
if [ "$ret" -eq 0 ]; then
echo OK echo OK
else else
echo FAIL; return 1 echo FAIL; return 1
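Review bot: Capturing `ret="$?"` right after `"$CMD-restore" "$IPTABLES_DATA"` only to test it on the next line can be folded into the condition, which is also what shellcheck's SC2181 recommends: `if "$CMD-restore" "$IPTABLES_DATA"; then`. If the separate `ret` is kept, a comment that it must be read immediately is worthwhile, since any command later inserted between the two lines would overwrite `$?`. The `start()` function begins before the hunk and continues after it.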


@ -1,6 +1,7 @@
#!/bin/sh #!/bin/sh
# Source Qubes library. # Source Qubes library.
# shellcheck source=init/functions
. /usr/lib/qubes/init/functions . /usr/lib/qubes/init/functions
/usr/lib/qubes/qubes-setup-dnat-to-ns /usr/lib/qubes/qubes-setup-dnat-to-ns


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
addrule() addrule()
{ {
if [ $FIRSTONE = yes ] ; then if [ "$FIRSTONE" = yes ] ; then
FIRSTONE=no FIRSTONE=no
RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1 RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1" -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1"
@ -10,17 +10,18 @@ addrule()
else else
RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1 RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1" -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
NS=$NS2
fi fi
} }
export PATH=$PATH:/sbin:/bin export PATH=$PATH:/sbin:/bin
# shellcheck disable=SC1091
. /var/run/qubes/qubes-ns . /var/run/qubes/qubes-ns
if [ "X"$NS1 = "X" ] ; then exit ; fi if [ "X$NS1" = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS iptables -t nat -F PR-QBS
FIRSTONE=yes FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 | grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 |
( (
while read x y z ; do # shellcheck disable=SC2034
while read -r x y z ; do
addrule "$y" addrule "$y"
done done
(echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | iptables-restore -n (echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | iptables-restore -n
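Review bot: The `# shellcheck disable=SC2034` added before `while read -r x y z ; do` is not needed: `x` only receives the `nameserver` keyword selected by the `grep ^nameserver` on line 112 and `z` any trailing fields, and naming them `_` states that directly without a suppression: `while read -r _ y _ ; do`. The `NS=$NS2` assignment dropped from `addrule` was the genuine SC2034 hit, and nothing else in this hunk reads it. `addrule` starts at the top of the file; the subshell opened with `(` on line 113 closes after the hunk.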


@ -1,27 +1,28 @@
#!/bin/sh #!/bin/sh
# Source Qubes library. # Source Qubes library.
# shellcheck disable=SC1091
. /usr/lib/qubes/init/functions . /usr/lib/qubes/init/functions
have_qubesdb || exit 0 have_qubesdb || exit 0
ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null` ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)
if [ x$ip != x ]; then if [ "x$ip" != x ]; then
netmask=`/usr/bin/qubesdb-read /qubes-netmask` #netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
gateway=`/usr/bin/qubesdb-read /qubes-gateway` gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
primary_dns=`/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo $gateway` primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
secondary_dns=`/usr/bin/qubesdb-read /qubes-secondary-dns` secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
/sbin/ethtool -K $INTERFACE sg off /sbin/ethtool -K "$INTERFACE" sg off
/sbin/ethtool -K $INTERFACE tx off /sbin/ethtool -K "$INTERFACE" tx off
# If NetworkManager is enabled, let it configure the network # If NetworkManager is enabled, let it configure the network
if qsvc network-manager ; then if qsvc network-manager ; then
nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
cat > $nm_config <<__EOF__ cat > "$nm_config" <<__EOF__
[802-3-ethernet] [802-3-ethernet]
duplex=full duplex=full
[ethernet] [ethernet]
mac-address=`ip l show dev $INTERFACE |grep link|awk '{print $2}'` mac-address=$(ip l show dev "$INTERFACE" |grep link|awk '{print $2}')
[connection] [connection]
id=VM uplink $INTERFACE id=VM uplink $INTERFACE
@ -36,23 +37,23 @@ method=manual
may-fail=false may-fail=false
__EOF__ __EOF__
if ! qsvc disable-dns-server ; then if ! qsvc disable-dns-server ; then
echo "dns=$primary_dns;$secondary_dns" >> $nm_config echo "dns=$primary_dns;$secondary_dns" >> "$nm_config"
fi fi
if ! qsvc disable-default-route ; then if ! qsvc disable-default-route ; then
echo "addresses1=$ip;32;$gateway" >> $nm_config echo "addresses1=$ip;32;$gateway" >> "$nm_config"
else else
echo "addresses1=$ip;32" >> $nm_config echo "addresses1=$ip;32" >> "$nm_config"
fi fi
chmod 600 $nm_config chmod 600 "$nm_config"
# reload connection # reload connection
nmcli connection load $nm_config || : nmcli connection load "$nm_config" || :
else else
# No NetworkManager enabled, configure the network manually # No NetworkManager enabled, configure the network manually
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255
/sbin/ifconfig $INTERFACE up /sbin/ifconfig "$INTERFACE" up
/sbin/route add -host $gateway dev $INTERFACE /sbin/route add -host "$gateway" dev "$INTERFACE"
if ! qsvc disable-default-route ; then if ! qsvc disable-default-route ; then
/sbin/route add default gw $gateway /sbin/route add default gw "$gateway"
fi fi
if ! is_protected_file /etc/resolv.conf ; then if ! is_protected_file /etc/resolv.conf ; then
echo > /etc/resolv.conf echo > /etc/resolv.conf
@ -65,8 +66,8 @@ __EOF__
network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ] && ! qsvc disable-dns-server ; then if [ "x$network" != "x" ] && ! qsvc disable-dns-server ; then
gateway=$(qubesdb-read /qubes-netvm-gateway) gateway=$(qubesdb-read /qubes-netvm-gateway)
netmask=$(qubesdb-read /qubes-netvm-netmask) #netmask=$(qubesdb-read /qubes-netvm-netmask)
primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo $gateway) primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns) secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
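Review bot: `cat > "$nm_config"` on line 139 creates the NetworkManager keyfile with the process umask and only tightens it with `chmod 600 "$nm_config"` on line 157, after the `dns=` and `addresses1=` lines have been appended; setting `umask 077` before the redirect (or creating the file restricted and then writing to it) removes that window. Whether the content is sensitive cannot be determined from this hunk, so treat this as hardening rather than a defect. Separately, the `netmask=` assignments on lines 130 and 174 are commented out rather than deleted; if the value is no longer needed, dropping the lines is cleaner, otherwise a short comment on why they are kept would help. The `if qsvc network-manager` block starts inside the first hunk and its branches continue across the hunk boundaries.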


@ -1,8 +1,9 @@
#!/bin/sh #!/bin/sh
type nm-applet > /dev/null 2>&1 || exit 0 command -v nm-applet > /dev/null 2>&1 || exit 0
# Source Qubes library. # Source Qubes library.
# shellcheck source=init/functions
. /usr/lib/qubes/init/functions . /usr/lib/qubes/init/functions
# Hide nm-applet when network-manager is disabled # Hide nm-applet when network-manager is disabled


@ -22,6 +22,7 @@
# #
# Source Qubes library. # Source Qubes library.
# shellcheck source=init/functions
. /usr/lib/qubes/init/functions . /usr/lib/qubes/init/functions
BEGIN_MARKER="### QUBES BEGIN ###" BEGIN_MARKER="### QUBES BEGIN ###"
@ -37,24 +38,25 @@ update_conf() {
local CONF_OPTIONS="$2" local CONF_OPTIONS="$2"
# Ensure that Qubes conf markers are present in the file # Ensure that Qubes conf markers are present in the file
if ! grep -q "$BEGIN_MARKER" $CONF_PATH; then if ! grep -q "$BEGIN_MARKER" "$CONF_PATH"; then
if grep -q "$END_MARKER" $CONF_PATH; then if grep -q "$END_MARKER" "$CONF_PATH"; then
echo "ERROR: found QUBES END marker but not QUBES BEGIN in ${CONF_PATH}" >&2 echo "ERROR: found QUBES END marker but not QUBES BEGIN in ${CONF_PATH}" >&2
echo "Fix the file by either removing both of them, or adding missing back and retry" >&2 echo "Fix the file by either removing both of them, or adding missing back and retry" >&2
exit 1 exit 1
fi fi
cp $CONF_PATH ${CONF_PATH}.qubes-orig cp "$CONF_PATH" "${CONF_PATH}.qubes-orig"
echo "$BEGIN_MARKER" >> $CONF_PATH echo "$BEGIN_MARKER" >> "$CONF_PATH"
echo "$END_MARKER" >> $CONF_PATH echo "$END_MARKER" >> "$CONF_PATH"
elif ! grep -q "$END_MARKER" $CONF_PATH; then elif ! grep -q "$END_MARKER" "$CONF_PATH"; then
echo "ERROR: found QUBES BEGIN marker but not QUBES END in ${CONF_PATH}" >&2 echo "ERROR: found QUBES BEGIN marker but not QUBES END in ${CONF_PATH}" >&2
echo "Fix the file by either removing both of them, or adding missing back and retry" >&2 echo "Fix the file by either removing both of them, or adding missing back and retry" >&2
exit 1 exit 1
fi fi
# Prepare config block # Prepare config block
local tmpfile=`mktemp` local tmpfile
cat > ${tmpfile} <<EOF tmpfile=$(mktemp)
cat > "${tmpfile}" <<EOF
# This part of configuration, until QUBES END, is automatically generated by # This part of configuration, until QUBES END, is automatically generated by
# $0. All changes here will be overriden. # $0. All changes here will be overriden.
# If you want to override any option set here, set it again to desired value, # If you want to override any option set here, set it again to desired value,
@ -67,8 +69,8 @@ EOF
/^$END_MARKER$/b /^$END_MARKER$/b
/^$BEGIN_MARKER$/!d /^$BEGIN_MARKER$/!d
r ${tmpfile} r ${tmpfile}
}" ${CONF_PATH} }" "${CONF_PATH}"
rm -f ${tmpfile} rm -f "${tmpfile}"
} }
### helper functions end ### helper functions end
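Review bot: `tmpfile=$(mktemp)` on line 217 is split from `local` as shellcheck asks, but its exit status is still unchecked; if `mktemp` fails, `tmpfile` is empty, `cat > ""` fails, and the sed script's `r ${tmpfile}` reads a non-existent file while `$CONF_PATH` is presumably rewritten in place. `tmpfile=$(mktemp) || exit 1` keeps the function from touching the config with no block to insert. The `grep -q "$BEGIN_MARKER"` / `"$END_MARKER"` calls treat the markers as regular expressions, which works because the marker text has no metacharacters; `grep -qF` would make that independent of the marker value. `update_conf()` starts before the first hunk and its closing brace is on line 228.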


@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
# shellcheck disable=SC2154
#set -x #set -x
undetectable_netvm_ips= undetectable_netvm_ips=
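Review bot: A file-wide `# shellcheck disable=SC2154` on line 235 silences "referenced but not assigned" for every variable in the script, not only the ones supplied by the caller, so a later typo in a variable name would go unreported. The vif-route-qubes change in this same commit places the directive on the individual lines that read `$ip`, `$vif` and `$command`; the same per-line form here, or at least a reason naming the externally provided variables, e.g. `# shellcheck disable=SC2154  # <vars> are set by the caller's environment`, would keep the check useful for the rest of the file. Only the first four lines of the script are visible, so which variables are affected cannot be confirmed from this hunk.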


@ -21,46 +21,51 @@
#============================================================================ #============================================================================
dir=$(dirname "$0") dir=$(dirname "$0")
# shellcheck disable=SC1091,SC1090
. "$dir/vif-common.sh" . "$dir/vif-common.sh"
#main_ip=$(dom0_ip) #main_ip=$(dom0_ip)
lockfile=/var/run/xen-hotplug/vif-lock lockfile=/var/run/xen-hotplug/vif-lock
# shellcheck disable=SC2154
if [ "${ip}" ]; then if [ "${ip}" ]; then
# IPs as seen by this VM # IPs as seen by this VM
netvm_ip="$ip" netvm_ip="$ip"
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway` netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns` netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns` netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
back_ip="$netvm_gw_ip" back_ip="$netvm_gw_ip"
# IPs as seen by the VM - if other than $netvm_ip # IPs as seen by the VM - if other than $netvm_ip
appvm_gw_ip="`qubesdb-read /mapped-ip/$ip/visible-gateway 2>/dev/null || :`" appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip/visible-gateway" 2>/dev/null || :)"
appvm_ip="`qubesdb-read /mapped-ip/$ip/visible-ip 2>/dev/null || :`" appvm_ip="$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)"
fi fi
# Apply NAT if IP visible from the VM is different than the "real" one # Apply NAT if IP visible from the VM is different than the "real" one
# See vif-qubes-nat.sh for details # See vif-qubes-nat.sh for details
if [ -n "$appvm_ip" -a -n "$appvm_gw_ip" -a "$appvm_ip" != "$netvm_ip" ]; then if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then
# shellcheck disable=SC2154
if test "$command" == online; then if test "$command" == online; then
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp # shellcheck disable=SC2154
echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
fi fi
# shellcheck source=network/vif-qubes-nat.sh
. "$dir/vif-qubes-nat.sh" . "$dir/vif-qubes-nat.sh"
fi fi
# shellcheck disable=SC2154
case "$command" in case "$command" in
online) online)
ifconfig ${vif} up ifconfig "${vif}" up
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
ipcmd='add' ipcmd='add'
iptables_cmd='-I PREROUTING 1' iptables_cmd='-I PREROUTING 1'
cmdprefix='' cmdprefix=''
;; ;;
offline) offline)
do_without_error ifdown ${vif} do_without_error ifdown "${vif}"
ipcmd='del' ipcmd='del'
iptables_cmd='-D PREROUTING' iptables_cmd='-D PREROUTING'
cmdprefix='do_without_error' cmdprefix='do_without_error'
@ -71,23 +76,23 @@ domid=${vif/vif/}
domid=${domid/.*/} domid=${domid/.*/}
# metric must be possitive, but prefer later interface # metric must be possitive, but prefer later interface
# 32752 is max XID aka domid # 32752 is max XID aka domid
metric=$[ 32752 - $domid ] metric=$(( 32752 - domid ))
if [ "${ip}" ] ; then if [ "${ip}" ] ; then
# If we've been given a list of IP addresses, then add routes from dom0 to # If we've been given a list of IP addresses, then add routes from dom0 to
# the guest using those addresses. # the guest using those addresses.
for addr in ${ip} ; do for addr in ${ip} ; do
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
done done
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \ echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
${cmdprefix} flock $lockfile iptables-restore --noflush ${cmdprefix} flock $lockfile iptables-restore --noflush
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
fi fi
log debug "Successful vif-route-qubes $command for $vif." log debug "Successful vif-route-qubes $command for $vif."
if [ "$command" = "online" ] if [ "$command" = "online" ]
then then
# disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom # disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
do_without_error ethtool -K $vif tx off do_without_error ethtool -K "$vif" tx off
success success
fi fi
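Review bot: `${ip}` is deliberately left unquoted on line 293 so the `for` loop can walk a list, but the same unquoted `${ip}` also appears inside the `! -s ${ip}` raw rule on line 296; if `ip` ever carries more than one address, as the comment above the loop says it may, only the first becomes the `-s` argument and the rest are passed as stray tokens, which would likely make iptables-restore reject the anti-spoofing rule. Quoting does not solve that; the rule would need one `-s` entry per address, or a comment on the line stating that a single address is the only supported case. Smaller points: `$lockfile` on line 297 is still unquoted unlike the rest of the hunk, and the intentional splitting of `${cmdprefix}` and `${ip}` would benefit from a `# shellcheck disable=SC2086` with a reason, matching the directives added in the other files of this commit. The `case "$command"` statement in the first hunk closes after that hunk ends.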